Windows logs 4713 when it detects a change to the the domain's Kerberos policy. Kerberos policy is defined in GPOs linked to the root of the domain under Computer Configuration\Windows Settings\Security Settings\Account Policy\Kerberos Policy.

Unfortunately the Subject fields don't identify who actually changed the policy because Kerberos policy isn't directly configured by administrators. Instead it is edited in a group policy object which then gets applied to the computer. Therefore this event always shows the local computer as the one who changed the policy since the computer is the security principal under which gpupdate runs.

Subject:

The ID and logon session of the user that changed the policy - always the local system - see note above.

Security ID: The SID of the account.

Account Name: The account logon name.

Account Domain: The domain or - in the case of local accounts - computer name.

Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

KerMinT:

MinTicketAge

minimum time period, in hours, that a user's ticket-granting ticket (TGT) can be used for Kerberos authentication before a request can be made to renew the ticket

KerMaxT:

MaxTicketAge

maximum amount of time (in hours) that a user's ticket-granting ticket (TGT) may be used for the purpose of Kerberos authentication. When a user's TGT expires, a new one must be requested or the existing one must be renewed

KerMaxR:

MaxRenewAge

time period, in days, during which a user's ticket-granting ticket (TGT) can be renewed for purposes of Kerberos authentication